Method for encryption of information

ABSTRACT

The method involves modifying an encryption key (Kc) in accordance with a given algorithm and in dependence on the ordinal number of a time slot to obtain a modified encryption key. A modified pseudo-random sequence is formed from the resultant modified encryption key. The modification is carried out in accordance with the aid of an encryption algorithm. A logical operation is performed on the modified pseudo-random sequence and for each block of the non-encrypted information. Preferably the operation is performed on the information block that belongs to the time slot whose ordinal number has been used to form the modified encryption key. As an additional option, the frame number can also be modified in accordance with a given algorithm and in dependence on the ordinal number of the relevant time slot. The method provides reliable encryption in TDMA mobile radio systems in which two or more time slots are used for one and the same transmission without requiring any substantial changes to signaling protocol and/or system equipment.

FIELD OF INVENTION

The present invention relates to a method of encrypting informationbetween a stationary network and a mobile station in a mobile radiosystem of the time division multiple access type (TDMA system).

More specifically, the invention relates to methods of encrypting thetransmitted information in a more secure fashion in conjunction with anauthorization check on the mobile by the network and when a multiple oftime slots are used for the same user (mobile station).

DESCRIPTION OF THE BACKGROUND ART

The GSM-network, common in Europe, is a mobile radio network that usestime division multiple access (TDMA). As with other mobile radionetworks, the GSM network employs authorization checks and encryption oftransmitted messages. With regard to the GSM network, this is specifiedin "GSM specification 03.20", May 1994, issued by ETSI (EuropeanTelecommunication Standard Institute) and hereinafter referred to asETSI/GSM 03.20. The various algorithms used in authorization checks andencryption are described in this reference.

As described in ETSI/GSM 03.20, an algorithm A3 is used to effect actualauthorization checks between network and subscriber apparatus. Asfurther described, an algorithm A5 is used for encryption of the payloadinformation to be transmitted, and an algorithm A8 is used to form, fromthe subscriber authorization key Ki, an encryption key Kc.

As a rule, only one time slot per frame for a given connection is usedin TDMA-type time division mobile radio systems; see ETSI/GSM 05.02.

The use of two or more time slots, not necessarily consecutive timeslots, in a transmission frame has been proposed, see ETSI/STC SMG3, Tdoc SMG3 WPA 95A dated Aug. 29, 1995 (Nokia Telecommunications), seeparticularly point 5 "HSCSD Architecture". This provides the advantageof enabling larger quantities of information to be transmitted per unitof time (applicable particularly to data transmissions), but has thedrawback of increasing bandwidth.

SUMMARY OF THE INVENTION

The inclusion in a GSM system of two or more time slots instead of onetime slot for one and the same radio transmission in accordance with theaforegoing creates certain problems when encryption and authorizationchecks are to be employed.

The most obvious procedure would be to process each of the time slotsseparately and to process the information in accordance with earlierknown principles. However, such procedures would require drasticmodification to the existing signalling protocols and to equipment onboth the network side and the mobile station side.

It would be desirable to avoid such modifications to existing standardsand equipment to the greatest possible extent. The use of the samepseudo-random sequence for all time slots within one and the same frameand for a given frame number is proposed in the aforementioned ETSIdocument, ETSI/T doc SMG3, "First HSCSD stage 2 draft". The drawbackwith this method is that it is necessary to compromise betweenencryption safety and procedure simplicity. When two separate burstsbelonging to one and the same user are transmitted in this manner whileusing the same encryption sequence (pseudo-random sequence), theinfluence of the encryption can be eliminated relatively simply, bycarrying out simple EXOR operations.

The object of the present invention is therefore to provide methods forreliable encryption in a TDMA-type mobile radio system in which two ormore time slots are used for one and the same transmission withoutneeding to make substantial changes to the signalling protocol and/orsystem equipment.

In this regard, an inventive method is characterized by the features setforth in the following claim 1. Another inventive method ischaracterized by the features set forth in the accompanying claim 3.Further inventive methods are characterized by the features set forth inaccompanying claims 4 and 5.

BRIEF DESCRIPTION OF THE DRAWINGS

The aforesaid inventive methods will now be described in more detailwith reference to the accompanying drawings.

FIG. 1 illustrates, schematically, signalling between a network side anda mobile station side in a mobile radio system during the authorizationcheck procedure.

FIG. 2 is a block diagram illustrating known information encryption inthe system illustrated in FIG. 1.

FIG. 3 is a block diagram which symbolizes the algorithms used in two ofthe inventive methods.

FIG. 4 is a block diagram symbolizing the algorithms used in a thirdinventive method.

FIGS. 5-8 illustrate the method steps of the various exemplaryembodiments of the present invention.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS

FIG. 1 is a simplified schematic illustration of a mobile radio system,for instance a GSM-system. The system has a network side "NETWORK" and amobile station side "Mobile".

The network side includes a base station system BSS which is connectedto a mobile switching centre MSC, which is connected, in turn, to thepublic telephone network (not shown). The base station system BSStypically includes a base transceiver station BTS and a base stationcontroller BSC (not shown). In reality, a plurality of base stationsystems are connected to the mobile switching centre MSC on the networkside, while the mobile station side includes a plurality of mobilestations that can communicate simultaneously with the base stationsystem BSS. The network side and the mobile station side transmitinformation via radio signals over an air interface which is symbolizedin FIG. 1 with the reference TR.

Before the actual information is transmitted and received between thenetwork and a given mobile station MS, the network is obliged to checkthe authorization of the mobile station MS. This authorization check iscarried out in accordance with known principles, whereby the network,i.e. the base station system BSS, sends a random number (so-called"random challenge") RAND to the mobile station MS over a dedicatedcontrol channel DCCH.

The mobile station MS receives the random number RAND and forms aresponse SRES (signed response) from this random number and from themobile station's own key Ki in accordance with a given algorithm A3, asdescribed on page 50 of the aforesaid ETSI/GSM 03.20.

At the same time, the mobile station MS compiles an encryption key Kcfrom the key Ki in accordance with another algorithm A8. The responseSRES is sent to the base station system BSS, while the encryption key Kcis used in the encryption carried out in the mobile station inaccordance with the following. A comparison is made in the base stationsystem BSS with corresponding values of SRES calculated by the mobileswitching center (MSC) in accordance with the same conventionalalgorithms A3 and A8 found in the mobile station MS. When a coincidentalresult is obtained, the mobile station is considered to be authorizedand communication can continue. The continued information transmissionwill thereafter be encrypted in accordance with a given algorithm AS, asdescribed on pages 48-49 of ETSI/GSM 03.20.

Thus, the network includes an algorithm block AN which stores andcarries out an authorization check in accordance with the algorithms A3and A8 and encryption in accordance with the algorithm A5. The mobilestation MS includes a corresponding algorithm block AM which stores andcarries out an authorization check in accordance with the samealgorithms A3 and A8 and encryption in accordance with the algorithm A5.

The encryption key Kc is generated by the mobile switching center (MSC)on the basis of the mobile station's encryption key Ki, which is knownto the mobile telephone switching centre. Subsequent to making theauthorization check, (algorithm A3), the mobile telephone switchingcentre MSC sends the key Kc to the base station system BSS andencryption of payload information can be commenced with the aid of theagreed encryption key Kc.

FIG. 2 illustrates schematically the manner in which the payloadinformation is encrypted and formatted for transmission over two timeslots TS1, TS2 in accordance with the aforesaid NOKIA proposal.

Normally, the payload information is divided from, e.g., a speech frameinto one or more blocks each of 114 bits. One such block is encrypted inaccordance with the algorithm A5 and sent during a burst in a given timeslot, optionally interfoliated with another adjacent block. The nextencrypted block then follows. As illustrated in FIG. 2, when two timeslots in a given frame are available, an information block is nowdivided into two sub-blocks B1 and B2, each containing 114 bits, andeach block is encrypted with the same pseudorandom sequence PS of 114bits as normal, by carrying out two EXOR operations shown in FIG. 2.

The pseudo-random sequence PS is obtained from an ordinal number FN ofthe frame in which the time slots TS1, TS2 are located whose information(blocks B1 and B2) shall be encrypted. Two encrypted information blocksBK1 and BK2 are obtained and these blocks are then formatted byinserting a sync. and training sequence in a known manner (marked with Xin FIG. 2). As before mentioned, the drawback with this encryptionmethod is that the same encryption sequence is used two times for twoseparate time slots which means that non-encrypted information can berecovered from each of the two time slots by an EXOR operation betweenthe encrypted information.

In accordance with the present invention, the time slot ordinal numberor an equivalent to this number is inserted into the frame as a furtherparameter when encrypting. As a result, when transmitting in two timeslots within the same frame, the transmitted information will beindependently encrypted and encryption security therewith furtherenhanced in comparison to the case when only the frame number (inaddition to the encryption key) is used. If, as is normal, a user usesonly one time slot per frame, no time-slot dependent encryption isrequired because the user's authorization key is unique for a certaintime slot. By modifying the input parameters (code key Kc, frame numberFN) in direct dependence on the ordinal number of a time slot in a framein accordance with the present invention, it is possible to apply theoriginal algorithms without needing to make any substantial change tothe signalling protocol, as before described, or to the radio equipment.

FIG. 3 is a block diagram illustrating the use of the original algorithmA5 with modified input magnitudes in accordance with the presentinvention.

The block AB in FIG. 3 symbolizes the original algorithm A5, which isspecified in accordance with GSM 03.20. The encryption key Kc is nowmodified in accordance with the ordinal number TSn=TS1 of the relevanttime slot, namely the time slot in the frame during which a first blockB1 according to FIG. 2 shall be transmitted (possibly interfoliated withan adjacent block, although the principle is the same). In this regard,circle 1 symbolizes a calculation algorithm ALG for obtaining a modifiedvalue Kc1 of the encryption key. The same algorithm can be used for alltime slots in the frame, such that

    ALG1(Kc,TSn)=Kcn'.

It is not necessary to modify all encryption keys and one key may beidentical to the normal encryption key Kc for a given time slot.

Similarly, the frame ordinal number FN is modified in dependence on theordinal number TSn=TS1 of the relevant time slot in the frame withinwhich the first block B1 in FIG. 2 shall be transmitted. Circle 2therewith symbolizes a calculation algorithm ALG2 for obtaining themodified value FN' of the frame ordinal number. The same algorithm canbe used for all time slots in the frame, such that

    ALG2(FN,TSn)=FNn'.

The two algorithms ALG1 and ALG2 need not be equal.

Furthermore, one of the modified frame numbers FNn' may be identical tothe normal FN.

In both of the aforesaid cases, there is obtained an output magnitude inthe form of a modified pseudo-random sequence PSm' (see steps of FIG. 7)which is used in the same way as that shown in FIG. 2.

It will be understood that the sequence PSm' can also be generatedeither

a) by solely using a modified value Kc' on the encryption key and anunchanged value FN on the frame number, i.e. the algorithm 2 is notused; (see steps of FIG. 5) or

b) by solely using a modified value FN' on the frame number FN and anunchanged value on the encryption key Kc, i.e. the algorithm 1 is not(see steps of FIG. 6) used.

FIG. 4 is a block diagram similar to the block diagram of FIG. 3, butnow with totally unchanged input values Kc, FN to the algorithm A5.Instead, the time slot ordinal number TSn (or a value equivalent to saidordinal number) is used as a control value for an algorithm ALG3symbolized by circle 3 for modifying the normal pseudo-random sequencePS obtained from Kc and FN(see steps of FIG. 8). This algorithm ALG3 mayconsist in a certain permutation, shift, reordering of values; etc., inthe pseudo-random sequence PS, so as to obtain a new sequence PSm'. Thesequence may optionally be divided into blocks of 114 bits prior toreformulation, and the values in one or more blocks can be mixed toobtain the new values with an unchanged number of bits (114) in eachblock.

It is also possible to combine the algorithms ALG1,2 in FIG. 3 with thealgorithm ALG3 according to FIG. 4.

The aforedescribed embodiments of the proposed method relate totransmission cases. It will be understood that in the case of receptionwherein incoming information shall be decrypted, the values of Kc and FNand the sequence PS will be modified to Kc', FN' and PSm' respectivelyin accordance with the agreed algorithms ALG1, ALG3 and ALG3 asdescribed above.

I claim:
 1. A method of encrypting information transmitted between abase station and a mobile station in a time division multiple access(TDMA) mobile radio system wherein said information is divided into atleast two blocks and transmitted in separate time slots in each frame ina frame sequence, said method of encrypting information comprising thesteps of:a) obtaining a first encryption key; b) for each time slot usedfor transmission of said information, modifying said first encryptionkey in dependence on an ordinal number of the time slot so as to obtaina modified encryption key; c) for each time slot, forming apseudo-random sequence from its modified encryption key and from anordinal number of a frame in which the information is transmitted inaccordance with an encryption algorithm; and d) for each frame and timeslot, performing a logic operation between its correspondingpseudo-random sequence and the information to be transmitted.
 2. Themethod according to claim 1, wherein the logic operation of step d) isperformed on each information block that belongs to the time slot whoseordinal number has been used to form said modified encryption key.